Fish AKA Barry van Kampen
It is 04:30 AM, you are awakened by a text message, and your friendly IDS is telling you a bunch of disallowed systems are trying to connect to the internet. Within a few seconds you’re awake, adrenaline pumping through your body; the disallowed connections aren’t usual warnings like the truckload of false positives you handled yesterday. Apparently, the alerts were not so ‘false’ after all. It’s going to be a long, long day…
Intrusion is only the first phase of a so-called network invasion. This story is about what can happen after that first intrusion, what you should do, and what you shouldn't do.
—- —- —- —- —-
Everywhere you go there are hacks, and everybody gets hacked eventually.
Invasion is a step beyond being hacked.
The information your company holds could be stolen and sold.
WTF is network Invasion?
- Hackers & crackers (hackers aren’t the bad guys)
- Organized crime
- People who can make money from it
How to get invaded
- A hack is carried out
- A first system is owned (the foothold)
- Level 2 attack
- Hack from the foothold into the inner network
- Set up communications
- To transport information out
- Maintain access
- Wait for the good info, then sell it, use it, ...
Ways to get invaded
- Zero days
- Targeted attacks
- Insecure wireless
- Wardialing – Modem access
- Custom/Prepped Hardware
Not all attacks have to be bleeding edge or highly technical… old modem attacks, physical access, and social engineering do it just as well.
Maintaining access –> custom or purpose-written malware/trojans. Custom-written code is worth the investment if the attacker can make money from the attack.
- Patch Management / LCM
- Faulty code
- Application vulnerabilities
- SQLinjection etc…
- Human Error
- IDS false positives
- Real attacks can get lost amongst a flood of false positives
- It can start at home!
- Password stealing
- See recent Facebook attack
Strange patterns
- Many companies have logs and monitoring, but fail to do full analysis
- Not much trend analysis
- System maintenance
- Log checking –> people don't check their logs enough
- SSH brute-force against your external IP is to be expected
- SSH brute-force on your internal network is bad! (something on the inside is already owned)
- IDSs are providing alerts
- but they are mixed in with all the other false positives
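The "external brute-force is noise, internal brute-force is an incident" distinction above is simple to turn into detection logic. The following is an added example, not code from the talk: it parses a handful of constructed sshd log lines (not real logs), counts failed logins per source, and classifies each source as inside or outside the network. The internal ranges, the failure threshold and the log format are assumptions; a real deployment would list the organisation's own address ranges rather than plain RFC1918.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample sshd log lines (not from the talk). 203.0.113.0/24 is a
# documentation range standing in for "the Internet"; 10.20.0.0/16 is "inside".
SAMPLE_LOG = """\
Feb 12 04:21:01 bastion sshd[2231]: Failed password for root from 203.0.113.45 port 51822 ssh2
Feb 12 04:21:03 bastion sshd[2231]: Failed password for root from 203.0.113.45 port 51823 ssh2
Feb 12 04:21:05 bastion sshd[2233]: Failed password for admin from 203.0.113.45 port 51824 ssh2
Feb 12 04:21:09 bastion sshd[2235]: Failed password for invalid user oracle from 203.0.113.45 port 51825 ssh2
Feb 12 04:25:40 fileserver sshd[871]: Failed password for root from 10.20.1.57 port 40110 ssh2
Feb 12 04:25:41 fileserver sshd[871]: Failed password for root from 10.20.1.57 port 40111 ssh2
Feb 12 04:25:43 fileserver sshd[873]: Failed password for backup from 10.20.1.57 port 40112 ssh2
Feb 12 04:25:44 fileserver sshd[875]: Failed password for invalid user svc from 10.20.1.57 port 40113 ssh2
Feb 12 04:26:02 fileserver sshd[877]: Accepted password for backup from 10.20.1.57 port 40114 ssh2
Feb 12 04:30:12 devbox sshd[412]: Failed password for alice from 10.20.3.8 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed: the internal address space is plain RFC1918. Listed explicitly rather
# than via ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed threshold separating a brute-force run from a mistyped password.
FAIL_THRESHOLD = 3

SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}


def is_internal(addr: str) -> bool:
    """True if the source address belongs to one of our internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log_text: str, threshold: int = FAIL_THRESHOLD) -> list:
    """Return findings for every (host, source) with >= threshold failed logins.

    External sources are expected background noise (low). Internal sources mean
    an already-owned machine is attacking its neighbours (high), and an internal
    brute-force followed by a successful login is the worst case (critical).
    """
    failures = Counter()   # (host, src) -> number of failed logins
    users = {}             # (host, src) -> set of usernames tried
    accepted = set()       # (host, src) pairs that later logged in successfully

    for line in log_text.splitlines():
        host = line.split()[3]            # syslog: "Mon DD HH:MM:SS host ..."
        m = FAILED_RE.search(line)
        if m:
            key = (host, m["src"])
            failures[key] += 1
            users.setdefault(key, set()).add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.add((host, m["src"]))

    findings = []
    for (host, src), attempts in failures.items():
        if attempts < threshold:
            continue
        internal = is_internal(src)
        logged_in = (host, src) in accepted
        if internal and logged_in:
            severity = "critical"
        elif internal:
            severity = "high"
        else:
            severity = "low"
        findings.append({
            "severity": severity,
            "host": host,
            "src": src,
            "internal": internal,
            "attempts": attempts,
            "users": sorted(users[(host, src)]),
            "followed_by_login": logged_in,
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["src"]))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['src']:>14} -> {f['host']}: "
              f"{f['attempts']} failures, users={f['users']}, "
              f"login afterwards={f['followed_by_login']}")
```

The external source on the bastion is reported but ranked lowest, which is exactly the kind of alert that gets buried; the internal source that hammered the file server and then got in with the backup account sorts to the top. The same counting works on whatever your SIEM already collects; the point is that source network, not just attempt count, decides the severity.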
Gathering information from different sources can be a problem. Communication is key, but you don't know which communication channels are still secure (the attacker may be on them).
If the team is too large, somebody in the loop may also be involved in the attack. Keep things on a need-to-know basis: give other teams a heads-up, but don't provide more information than is required to achieve the task.
What to do?
Response based actions
- Find the source and method of the attack; then monitor, block, fix
- Check network traffic
- Use anti-malware software
- but it can't help against custom attacks
- Apply software control
- Information flows
The Big Search
- Search for changes on the network
- Check file systems
- File integrity
- You must already have hashes of the known-good files (taken before the incident)
- Do the comparison using a trusted binary (the tools on the box may be trojaned)
- Blacklist checks
- Whitelist checks
- Reinstall it all!
- Risk reduction
- You have to be sure you solved the issue
- Is the invasion gone?
- Is the flaw fixed?
Be pro-active = being prepared
An incident response policy should be in place
- A team with gurus
- A mandate to do what is required
- External contracts / contacts
- Ability and permission to reach out to trusted 3rd parties
- IR is the first part of forensics
- Be sure of the legal issues
- Speak to the legal department if you have one
To be more pro-active
- Vuln assessments and audits
- Check and double check patch management
- Change management
- Monitoring and followup
Improve architecture to reduce risk
- Multiple firewalls, from different vendors
- IDS monitoring
- Monitoring of load on servers and networks
The goal is to make it hard to get through to the soft core.
A good source of information on who’s attacking you, but not legal in all countries (can be seen as tempting attackers).